I have had the honor and pleasure of interviewing for some genuinely great security teams. Unfortunately, I am not good at the interview process. This has cost me several opportunities that I feel I would have enjoyed. I assume other people have had these same problems. This blog post will outline the areas in which I underperformed during the process of these interviews. Eventually, I will add answers to these topics as separate posts.
Out of respect for the teams that I have interviewed with, I will not reveal who asked what or give the exact questions asked with the exceptions of the ones taken directly from popular question pools online. Do not ask me which companies asked which questions because you will not get it from me.
Technical deficiencies are usually easy to overcome. There are plenty of resources out there to research and practice technical skills. Also noteworthy: almost all of the questions I’ve had at security interviews are either taken directly from, or are derivatives of, Daniel Miessler’s security interview questions blog post. If you are preparing for a security interview, you are doing yourself a disservice by not studying these questions. From experience, you are going to be asked at least a handful of them.
The hardest part for me is practicing soft skills, in particular recovering gracefully from mistakes, speaking comfortably with strangers, and dealing with nerves. I’m usually not intimidated by people, but it does take time for me to warm up and be comfortable talking to them. The nature of job interviews is being on your A game in front of a complete stranger, or even a room full of them. This messes me up in spectacular fashion and makes me feel like an idiot EVERY TIME. I have not felt comfortable at a single job interview, no matter how informal or what the position was.
People suggest Toastmasters groups, karaoke, stand-up comedy, presenting at local meetups, and a number of other things as practice. I’ve done presentations for smaller groups, competed in martial arts tournaments with big crowds, and karaoke. I’ve mostly conquered my nerves for these types of things. They don’t bother me because my future, my family’s well-being, and large amounts of money are not on the line. Frankly, I am not worried about what some heckler has to say about my leisurely pursuits, but when a six-figure salary or an excellent opportunity is on the line, it really toys with my emotions.
With this introduction out of the way, here are some real-world examples of the areas and questions that I felt that I performed poorly at one point or another:
Human being problems
- Eye contact, posture, handshakes, and overall confidence.
- Regaining composure after making mistakes.
- Tell me about yourself.
- Why should we hire you?
- Who do you admire?
- What is one skill you wish you had?
- Where do you see yourself in X years?
- What are your goals?
Open-ended, vague questions
- Open-ended questions in general.
- Where would you look on a Windows machine when performing forensics?
- Design the ultimate web shell.
- How do you secure <insert technology here>?
- Explain what happens when you type a URL into a browser’s address bar and press enter.
- How would you perform a web application security assessment?
- How would you approach performing a WiFi security assessment?
- If you could only look at ten different Windows EventLogs in your environment, what would they be?
- If you could redesign any protocol in wide use today, what would you change and why?
- Writing code on a whiteboard.
- Programming interviews in general.
- Explaining my thought process as I go.
- Big O notation.
- Solving problems without manuals, Google, and “being right” on the first try.
Specific technical questions
- Describe COM object hijacking.
- Describe CSRF.
- SSL and TLS in general: handshake, the difference between the two, technical questions about their implementations.
- Difference between symmetric and asymmetric encryption.
- Difference between Diffie-Hellman and RSA.
- Describe how Diffie-Hellman works.
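As an added worked example for the last two questions (this is not code from the original post, nor the author's promised answer), here is a finite-field Diffie-Hellman exchange in Python with both parties' messages and the check an interviewer usually wants to hear about: validating the peer's public value before using it. The group is generated at runtime at a demo size (96 to 128 bits) purely so the script runs stand-alone; real deployments use standardized 2048-bit or larger groups such as those in RFC 3526 or RFC 7919, and the `DHParty`, `generate_safe_prime` and `pick_generator` names are my own, not from any library.

```python
"""Finite-field Diffie-Hellman over a safe prime p = 2q + 1, with peer public-value
validation. Added example: group sizes here are for demonstration only."""
import hashlib
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with trial division; error probability is at most 4**-rounds."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a proves n composite
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with both p and q prime; p has exactly `bits` bits."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, top bit set
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p


def pick_generator(p: int) -> int:
    """Squaring a random element lands in the order-q subgroup of a safe prime group,
    and every non-identity element of a prime-order subgroup generates it."""
    while True:
        h = secrets.randbelow(p - 3) + 2
        g = pow(h, 2, p)
        if g != 1:
            return g


class DHParty:
    """One side of the exchange. Only `pub` is ever sent over the wire."""

    def __init__(self, p: int, g: int):
        self.p, self.g, self.q = p, g, (p - 1) // 2
        self.priv = secrets.randbelow(self.q - 1) + 1   # exponent in [1, q-1]
        self.pub = pow(g, self.priv, p)

    def validate_peer(self, y: int) -> bool:
        """Reject 0, 1, p-1 and anything outside the order-q subgroup. Accepting
        values of order 2q would let an attacker learn the parity of our exponent."""
        if not (2 <= y <= self.p - 2):
            return False
        return pow(y, self.q, self.p) == 1

    def shared_key(self, peer_pub: int) -> bytes:
        """Compute g^(ab) mod p and derive a fixed-length key from it."""
        if not self.validate_peer(peer_pub):
            raise ValueError("peer public value rejected")
        z = pow(peer_pub, self.priv, self.p)
        zbytes = z.to_bytes((self.p.bit_length() + 7) // 8, "big")
        return hashlib.sha256(b"dh-demo-key" + zbytes).digest()


def run_exchange(bits: int = 128):
    """Both parties agree on (p, g), swap public values, and derive the same key."""
    p = generate_safe_prime(bits)
    g = pick_generator(p)
    alice, bob = DHParty(p, g), DHParty(p, g)
    return alice.shared_key(bob.pub), bob.shared_key(alice.pub), alice, bob


if __name__ == "__main__":
    key_a, key_b, a, b = run_exchange()
    print("p bits:", a.p.bit_length())
    print("alice key:", key_a.hex())
    print("bob key:  ", key_b.hex())
    print("keys match:", key_a == key_b)
```

The interview-relevant points the code makes concrete: the private exponents never leave their party, the shared secret is hashed rather than used raw, and the peer's value is checked against the subgroup before exponentiation. That last check is what separates a textbook answer from one that mentions small-subgroup and invalid-value attacks, and it is also the difference from RSA that is worth stating out loud: DH gives key agreement (and forward secrecy when the exponents are ephemeral) but no authentication by itself, whereas RSA provides encryption and signatures under a long-lived key.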